NAIROBI, Kenya — Amnesty International Kenya has raised alarm over widespread non-compliance with Kenya’s data protection laws among civil society organisations (CSOs), warning that the cost is already being felt through fines, lost funding opportunities, and eroding public trust.
In a detailed policy commentary, the rights group said many organisations still operate under the mistaken belief that Kenya’s Data Protection Act does not apply to them.
“We didn’t think this applied to us,” is a common response from programme officers and executives when confronted with compliance issues, the organisation noted.
Under the law, any entity that collects, stores, or processes personal data qualifies as a data controller or processor, regardless of size or mission. This includes nearly all CSOs, particularly those working with vulnerable populations.
The organisation pointed to direct financial exposure as the most visible consequence. The Act provides for penalties of up to Sh5 million or 1pc of an organisation’s annual turnover, whichever is lower. For donor-funded organisations managing multi-million-shilling budgets, such penalties can significantly disrupt programming.
Regulatory enforcement is also intensifying. The Office of the Data Protection Commissioner has stepped up investigations, issued determinations, and enforced compliance orders, signalling a shift from advisory oversight to active regulation.
Beyond fines, Amnesty Kenya noted that responding to investigations diverts already limited resources, requiring legal counsel, internal audits, and administrative time that would otherwise support programme delivery.
However, the organisation emphasised that the most damaging consequences are often indirect and long-term.
International donors, particularly those aligned with the General Data Protection Regulation, are increasingly making compliance a prerequisite for funding.
Grant agreements now routinely include strict data governance clauses, and due diligence processes assess whether organisations are registered with regulators, maintain proper data records, and have internal privacy systems.
Failure to meet these standards can result in disqualification from funding opportunities altogether. “A CSO loses not just one grant, but its positioning in a competitive funding landscape,” the commentary noted, warning that compliance is fast becoming a proxy for institutional credibility.
At the community level, the risks are equally severe. Many CSOs handle highly sensitive personal data, including information from survivors of gender-based violence, refugees, and persons living with HIV. Any breach or perceived mishandling can destroy trust, reduce participation, and undermine years of engagement.
Reputational harm within Kenya’s tightly networked civil society space further compounds the problem. Complaints, enforcement actions, or public criticism can spread quickly, affecting partnerships, media relations, and coalition-building efforts long after legal issues are resolved.
The organisation also highlighted a lesser-known risk: personal liability. Under certain circumstances, senior officials and decision-makers may be held individually accountable for failures to comply with the law.
Amnesty Kenya urged CSOs to reframe data protection from a compliance burden to a strategic necessity. “The question is not whether organisations can afford compliance, but whether they can afford the consequences of failing to comply,” the analysis stated.
The warning comes amid growing scrutiny of data governance practices across sectors in Kenya, as regulators seek to align the country with global standards on privacy and data security.
As enforcement tightens and donor expectations evolve, Amnesty Kenya argues that organisations that invest early in compliance will be better positioned to sustain funding, protect beneficiaries, and maintain credibility in an increasingly regulated environment.
The message to civil society, it concluded, is clear: the cost of non-compliance is no longer hypothetical—it is already being paid.



